Malware is an ever-present threat in a computing landscape in which devices are connected to each other. Attackers with various motives seek to propagate malicious software. The damage inflicted by malicious software can range anywhere from minor annoyance to widespread catastrophic system failures. Thus, many resources are devoted to protecting computers and other devices from malware attacks.
Protection against malware takes many different forms, reflecting the large number of ways in which an attack can be mounted. For example, widely installed products such as free document readers and browser plug-ins are common attack vectors, so their makers issue updates to resist attacks once those attacks have been discovered. Likewise, operating systems present their own opportunities for attack, and their makers regularly release updates that close known attack paths. Virus detectors monitor systems for behaviors known to be associated with viruses (e.g., certain types of buffer overflows that serve as attack vectors for installing viruses). Virus detectors also scan for files whose contents match those of malware that has been identified in the past.
However, these techniques are mainly based on detecting and preventing successful attacks that have already been observed, usually more than once. For example, once a successful virus attack has been launched and detected "in the wild," a virus detector can be updated to recognize the signature of that particular virus. If a browser plug-in has been used in an attack, the maker of that plug-in can analyze the attack and update the plug-in to resist that type of exploit. If the overflow of a particular buffer is known to have been used as part of an attack, then monitoring that buffer for overflow can detect later attacks that reuse the same technique. But all of these measures rest on the assumption that future attacks will resemble past attacks that have succeeded.
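As an added illustration of the limitation described above (example code written for this edition, not part of the original text), the following Python script implements a minimal signature scanner that matches files by exact hash and by byte pattern, then shows what happens when an attacker makes small changes to a sample the scanner already knows. The sample bytes, the marker string, and the detection name are all constructed placeholders, not real malware or real signatures.

```python
"""Toy signature-based scanner: it recognizes only samples (or byte
patterns) that have already been observed and added to its database.
Added example; every 'malware' byte string here is a constructed stand-in."""
import hashlib
import re

FAMILY = "Trojan.Constructed.A"  # hypothetical detection name

# Constructed stand-in for a previously observed sample (not real malware).
KNOWN_SAMPLE = b"MZ\x90\x00" + b"evil_payload_v1" + bytes(16)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_signatures(samples):
    """Build a signature database from (sample_bytes, name) pairs.
    Each sample contributes an exact-hash signature; byte patterns are
    added separately, as an analyst would after studying the sample."""
    sigs = {"hashes": {}, "patterns": []}
    for data, name in samples:
        sigs["hashes"][sha256_hex(data)] = name
    return sigs


def add_pattern(sigs, regex: bytes, name: str):
    """Register a byte-pattern signature (here: the constructed marker)."""
    sigs["patterns"].append((re.compile(regex), name))


def scan(data: bytes, sigs):
    """Return (method, name) on a match, or None when nothing matches."""
    digest = sha256_hex(data)
    if digest in sigs["hashes"]:
        return ("hash", sigs["hashes"][digest])
    for pattern, name in sigs["patterns"]:
        if pattern.search(data):
            return ("pattern", name)
    return None


def learn(sigs, data: bytes, name: str):
    """Reactive update: once a new sample has been seen 'in the wild' and
    analyzed, its hash is pushed out so the scanner recognizes it next time."""
    sigs["hashes"][sha256_hex(data)] = name


# Two constructed ways an attacker alters a sample without changing what it does.
def variant_append(data: bytes) -> bytes:
    """Trailing padding: defeats exact-hash matching but not pattern matching."""
    return data + b"\x00"


def variant_xor(data: bytes, key: int = 0x5A) -> bytes:
    """Single-byte XOR encoding (a real sample would decode itself at runtime):
    defeats both the hash signature and the plaintext byte pattern."""
    return bytes(b ^ key for b in data)


def demo():
    """Run the scanner against the known sample and its two variants."""
    sigs = build_signatures([(KNOWN_SAMPLE, FAMILY)])
    add_pattern(sigs, rb"evil_payload_v1", FAMILY)
    results = {
        "original": scan(KNOWN_SAMPLE, sigs),
        "padded": scan(variant_append(KNOWN_SAMPLE), sigs),
        "xor_encoded": scan(variant_xor(KNOWN_SAMPLE), sigs),
    }
    # The encoded variant is caught only after it has been observed and added.
    learn(sigs, variant_xor(KNOWN_SAMPLE), FAMILY)
    results["xor_encoded_after_update"] = scan(variant_xor(KNOWN_SAMPLE), sigs)
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

The padded variant is still caught because the pattern signature tolerates surrounding changes, but the encoded variant is missed by both methods until a copy has been captured, analyzed, and added to the database; that gap between first use and first signature is the window the passage above describes.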